From d6219ca767ce935a1b41adacbeb035b2561010db Mon Sep 17 00:00:00 2001
From: Timo Reichl
Date: Wed, 7 Dec 2022 19:16:19 +0100
Subject: [PATCH] .github/workflows: Add workflow to scan latest tagged base image for CVEs every night
Signed-off-by: Timo Reichl
---
 .github/workflows/cve-scan.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/cve-scan.yml
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
new file mode 100644
index 0000000..a5bbeb3
--- /dev/null
+++ b/.github/workflows/cve-scan.yml
@@ -0,0 +1,30 @@
+name: Check for CVEs on latest tagged image every night
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+
+env:
+  IMAGE_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}"
+  CRANE_IMAGE: "gcr.io/go-containerregistry/crane:v0.11.0"
+
+jobs:
+  cve-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - id: latest_image
+        name: Get latest image
+        run: |
+          # Get latest tag for base image
+          latest_tag=$(docker run --rm ${CRANE_IMAGE} ls ${IMAGE_REPOSITORY} | grep base | tail -1)
+
+          # Set output to latest image
+          echo "url=${IMAGE_REPOSITORY}:${latest_tag}" >> $GITHUB_OUTPUT
+
+      - name: Scan for CVEs
+        uses: aquasecurity/trivy-action@0.8.0
+        with:
+          image-ref: "${{ steps.latest_image.outputs.url }}"
+          format: 'table'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
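Review bot: The tag selection in the `latest_image` step is fragile: `crane ls … | grep base | tail -1` depends on the registry returning tags in a meaningful order (which is not guaranteed to be chronological), `grep base` matches any tag containing that substring, and because the shell has no `set -o pipefail` or empty-value check, a failed `crane ls` or a missing tag yields `latest_tag=""` and the scan step is handed `repo:` instead of failing where the problem is. The workflow also runs with the default `GITHUB_TOKEN` permissions; a scheduled read-only job should declare `permissions: contents: read` at the top level so a compromised or misbehaving step cannot write to the repository. Third-party code is pinned by mutable tag (`aquasecurity/trivy-action@0.8.0`, `crane:v0.11.0`); pinning the action to a full commit SHA with the version in a trailing comment (`uses: aquasecurity/trivy-action@<commit-sha>  # v0.8.0`, SHA to be looked up) and the crane image by `@sha256:` digest closes the tag-retargeting path. If the package is private, `crane ls` will also need a registry login step that is not in this hunk; confirm against the package visibility.
```yaml
on:
  schedule:
    - cron: "0 0 * * *"

permissions:
  contents: read

# … unchanged: env, jobs/cve-check/runs-on/steps …
      - id: latest_image
        name: Get latest image
        run: |
          set -euo pipefail
          # Get latest tag for base image
          latest_tag=$(docker run --rm "${CRANE_IMAGE}" ls "${IMAGE_REPOSITORY}" | grep base | tail -1)
          if [ -z "${latest_tag}" ]; then
            echo "no base tag found in ${IMAGE_REPOSITORY}" >&2
            exit 1
          fi

          # Set output to latest image
          echo "url=${IMAGE_REPOSITORY}:${latest_tag}" >> "${GITHUB_OUTPUT}"
# … unchanged: Scan for CVEs step …
```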